Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon Read online

  Copyright © 2014 by Kim Zetter

  All rights reserved.

  Published in the United States by Crown Publishers, an imprint of the Crown Publishing Group, a division of Random House LLC, a Penguin Random House Company, New York.

  www.crownpublishing.com

  CROWN and the Crown colophon are registered trademarks of Random House LLC.

  Portions of this work were originally published in different form in “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History” copyright © Wired.​com. Used with permission. First published July 2011.

  Cataloging-in-Publication data is on file with the Library of Congress.

  ISBN 978-0-7704-3617-9

  eBook ISBN 978-0-7704-3618-6

  PRINTED IN THE UNITED STATES OF AMERICA

  Jacket design by Oliver Munday

  Jacket photograph: DigitalGlobe/Getty Images

  v3.1

  For SC and for my parents—with love and great gratitude, though gratitude is insufficient for all that you’ve done.

  CONTENTS

  Cover

  Title Page

  Copyright

  Dedication

  Prologue: The Case of the Centrifuges

  1. Early Warning

  2. 500 Kilobytes of Mystery

  3. Natanz

  4. Stuxnet Deconstructed

  5. Springtime for Ahmadinejad

  6. Digging for Zero Days

  7. Zero-Day Paydays

  8. The Payload

  9. Industrial Controls Out of Control

  10. Precision Weapon

  11. A Digital Plot Is Hatched

  12. A New Fighting Domain

  13. Digital Warheads

  14. Son of Stuxnet

  15. Flame

  16. Olympic Games

  17. The Mystery of the Centrifuges

  18. Qualified Success

  19. Digital Pandora

  Acknowledgments

  PROLOGUE

  THE CASE OF THE CENTRIFUGES

  It was January 2010 when officials with the International Atomic Energy Agency (IAEA), the United Nations body charged with monitoring Iran’s nuclear program, first began to notice something unusual happening at the uranium enrichment plant outside Natanz in central Iran.

  Inside the facility’s large centrifuge hall, buried like a bunker more than fifty feet beneath the desert surface, thousands of gleaming aluminum centrifuges were spinning at supersonic speed, enriching uranium hexafluoride gas as they had been for nearly two years. But over the last weeks, workers at the plant had been removing batches of centrifuges and replacing them with new ones. And they were doing so at a startling rate.

  At Natanz each centrifuge, known as an IR-1, has a life expectancy of about ten years. But the devices are fragile and prone to break easily. Even under normal conditions, Iran has to replace up to 10 percent of the centrifuges each year due to material defects, maintenance issues, and worker accidents.

  In November 2009, Iran had about 8,700 centrifuges installed at Natanz, so it would have been perfectly normal to see technicians decommission about 800 of them over the course of the year as the devices failed for one reason or another. But as IAEA officials added up the centrifuges removed over several weeks in December 2009 and early January, they realized that Iran was plowing through them at an unusual rate.

  Inspectors with the IAEA’s Department of Safeguards visited Natanz an average of twice a month—sometimes by appointment, sometimes unannounced—to track Iran’s enrichment activity and progress.1 Anytime workers at the plant decommissioned damaged or otherwise unusable centrifuges, they were required to line them up in a control area just inside the door of the centrifuge rooms until IAEA inspectors arrived at their next visit to examine them. The inspectors would run a handheld gamma spectrometer around each centrifuge to ensure that no nuclear material was being smuggled out in them, then approve the centrifuges for removal, making note in reports sent back to IAEA headquarters in Vienna of the number that were decommissioned each time.

  IAEA digital surveillance cameras, installed outside the door of each centrifuge room to monitor Iran’s enrichment activity, captured the technicians scurrying about in their white lab coats, blue plastic booties on their feet, as they trotted out the shiny cylinders one by one, each about six feet long and about half a foot in diameter. The workers, by agreement with the IAEA, had to cradle the delicate devices in their arms, wrapped in plastic sleeves or in open boxes, so the cameras could register each item as it was removed from the room.

  The surveillance cameras, which weren’t allowed inside the centrifuge rooms, stored the images for later perusal. Each time inspectors visited Natanz, they examined the recorded images to ensure that Iran hadn’t removed additional centrifuges or done anything else prohibited during their absence.2 But as weeks passed and the inspectors sent their reports back to Vienna, officials there realized that the number of centrifuges being removed far exceeded what was normal.3

  Officially, the IAEA won’t say how many centrifuges Iran replaced during this period. But news reports quoting European “diplomats” put the number at 900 to 1,000. A former top IAEA official, however, thinks the actual number was much higher. “My educated guess is that 2,000 were damaged,” says Olli Heinonen, who was deputy director of the Safeguards Division until he resigned in October 2010.

  Whatever the number, it was clear that something was wrong with the devices. Unfortunately, Iran wasn’t required to tell inspectors why they had replaced them, and, officially, the IAEA inspectors had no right to ask. The agency’s mandate was to monitor what happened to uranium at the enrichment plant, not keep track of failed equipment.

  What the inspectors didn’t know was that the answer to their question was right beneath their noses, buried in the bits and memory of the computers in Natanz’s industrial control room. Months earlier, in June 2009, someone had quietly unleashed a destructive digital warhead on computers in Iran, where it had silently slithered its way into critical systems at Natanz, all with a single goal in mind—to sabotage Iran’s uranium enrichment program and prevent President Mahmoud Ahmadinejad from building a nuclear bomb.

  The answer was there at Natanz, but it would be nearly a year before the inspectors would obtain it, and even then it would come only after more than a dozen computer security experts around the world spent months deconstructing what would ultimately become known as one of the most sophisticated viruses ever discovered—a piece of software so unique it would make history as the world’s first digital weapon and the first shot across the bow announcing the age of digital warfare.

  * * *

  1 The number of inspection visits to Natanz has increased since this period. Beginning in 2010, inspections increased to once a week, and after a new agreement with Iran in late 2013, inspectors are now on-site at Natanz every day.

  2 IAEA inspectors are not allowed to remove the recorded images from Natanz and can only view them on-site, where they are stored.

  3 Inspectors visiting Natanz and other nuclear facilities around the world rotate on a regular basis, so the same IAEA inspectors don’t visit every time. This is why the large number of decommissioned centrifuges didn’t get noticed until after several reports of changing numbers arrived in Vienna and got viewed in the aggregate by analysts and officials there.

  CHAPTER 1

  EARLY WARNING

  Sergey Ulasen is not the sort of person you’d expect to find at the center of an international incident. The thirty
-one-year-old Belarusian has close-cropped blond hair, a lean boyish frame, and the open face and affable demeanor of someone who goes through life attracting few enemies and even fewer controversies. One of his favorite pastimes is spending the weekend at his grandmother’s country house outside Minsk, where he decompresses from weekday stresses, far from the reach of cell phones and the internet. But in June 2010, Ulasen encountered something unusual that soon propelled him into the international spotlight and into a world of new stress.1

  It was a warm Thursday afternoon, and Ulasen, who headed the antivirus division of a small computer security firm in Belarus called Virus-BlokAda, was seated with his colleague Oleg Kupreev in their lab in downtown Minsk inside a drab, Soviet-era building about a block from the Svisloch River. They were sifting methodically through suspicious computer files they had recently found on a machine in Iran when something striking leapt out at Kupreev. He sat back in his chair and called Ulasen over to take a look. Ulasen scrolled through the code once, then again, to make sure he was seeing what he thought he saw. A tiny gasp escaped his throat. The code they had been inspecting the past few days, something they had until now considered a mildly interesting but nonetheless run-of-the-mill virus, had just revealed itself to be a work of quiet and diabolical genius.

  Not only was it using a skillful rootkit to cloak itself and make it invisible to antivirus engines, it was using a shrewd zero-day exploit to propagate from machine to machine—an exploit that attacked a function so fundamental to the Windows operating system, it put millions of computers at risk of infection.

  Exploits are attack code that hackers use to install viruses and other malicious tools onto machines. They take advantage of security vulnerabilities in browser software like Internet Explorer or applications like Adobe PDF Reader to slip a virus or Trojan horse onto a system, like a burglar using a crowbar to pry open a window and break into a house. If a victim visits a malicious website where the exploit lurks or clicks on a malicious e-mail attachment containing an exploit, the exploit uses the security hole in the software to drop a malicious file onto their system. When software makers learn about such holes in their products, they generally produce “patches” to close them up and seal the intruders out, while antivirus firms like Ulasen’s add signatures to their scanners to detect any exploits that try to attack the vulnerabilities.

  Zero-day exploits, however, aren’t ordinary exploits but are the hacking world’s most prized possession because they attack holes that are still unknown to the software maker and to the antivirus vendors—which means there are no antivirus signatures yet to detect the exploits and no patches available to fix the holes they attack.

  But zero-day exploits are rarely found in the wild. It takes time and skill for hackers to discover new holes and write workable exploits to attack them, so the vast majority of hackers simply rely on old vulnerabilities and exploits to spread their malware, counting on the fact that most computer users don’t often patch their machines or have up-to-date antivirus software installed, and that it can take vendors weeks or months to produce a patch for a known hole. Although more than 12 million viruses and other malicious files are captured each year, only about a dozen or so zero-days are found among them. Yet here the attackers were using an extremely valuable zero-day exploit, and a skillful rootkit, for a virus that, as far as Ulasen and Kupreev could tell, had been found only on machines in Iran so far. Something didn’t add up.

  THE MYSTERY FILES had come to their attention a week earlier when a reseller of VirusBlokAda’s security software in Iran reported a persistent problem with a customer’s machine in that country. The computer was caught in a reboot loop, crashing and rebooting repeatedly while defying the efforts of technicians to control it.2 VirusBlokAda’s tech-support team had scanned the system remotely from Minsk to look for any malware their antivirus software might have missed, but came up with nothing. That’s when they called in Ulasen.

  Ulasen had been hired by the antivirus firm while still in college. He was hired to be a programmer, but the staff at VirusBlokAda was so small, and Ulasen’s skills so keen, that within three years, at the age of twenty-six, he found himself leading the team that developed and maintained its antivirus engine. He also occasionally worked with the research team that deconstructed malicious threats. This was his favorite part of the job, though it was something he rarely got to do. So when the tech-support team asked him to weigh in on their mystery from Iran, he was happy to help.3

  Ulasen assumed the problem must be a misconfiguration of software or an incompatibility between an application installed on the machine and the operating system. But then he learned it wasn’t just one machine in Iran that was crashing but multiple machines, including ones that administrators had wiped clean and rebuilt with a fresh installation of the operating system. So he suspected the culprit might be a worm lurking on the victim’s network, reinfecting scrubbed machines each time they were cleaned. He also suspected a rootkit was hiding the intruder from their antivirus engine. Ulasen had written anti-rootkit tools for his company in the past, so he was confident he’d be able to hunt this one down if it was there.

  After getting permission to connect to one of the machines in Iran and remotely examine it, Ulasen and Kupreev zeroed in on six suspicious files—two modules and four other files—they thought were the source of the problem.4 Then with help from several colleagues in their lab, they spent the next several days picking at the files in fits and starts, hurling curses at times as they struggled to decipher what turned out to be surprisingly sophisticated code. As employees of a small firm that mostly developed antivirus products for government customers, they weren’t accustomed to taking on such complex challenges: they spent most of their days providing routine tech support to customers, not analyzing malicious threats. But they pressed forward nonetheless and eventually determined that one of the modules, a driver, was actually a “kernel-level” rootkit, as Ulasen had suspected.5

  Rootkits come in several varieties, but the most difficult to detect are kernel-level rootkits, which burrow deep into the core of a machine to set up shop at the same privileged level where antivirus scanners work. If you think of a computer’s structure like the concentric circles of an archer’s target, the kernel is the bull’s eye, the part of the operating system that makes everything work. Most hackers write rootkits that operate at a machine’s outer layers—the user level, where applications run—because this is easier to do. But virus scanners can detect these—so a truly skilled hacker places his rootkit at the kernel level of the machine, where it can subvert the scanner. There, it serves as a kind of wingman for malicious files, running interference against scanners so the malware can do its dirty work unhindered and undetected. Kernel-level rootkits aren’t uncommon, but it takes sophisticated knowledge and a deft touch to build one that works well. And this one worked very well.6

  Kupreev determined that the rootkit was designed to hide four malicious .LNK files—the four other suspicious files they’d found on the system in Iran. The malware appeared to be using an exploit composed of these malicious files to spread itself via infected USB flash drives, and the rootkit prevented the .LNK files from being seen on the flash drive. That’s when Kupreev called Ulasen over to have a look.

  Exploits that spread malware via USB flash drives aren’t as common as those that spread them over the internet through websites and e-mail attachments, but they aren’t unheard of, either. All of the USB exploits the two researchers had seen before, however, used the Autorun feature of the Windows operating system, which allowed malicious programs on a USB flash drive to execute as soon as the drive was inserted in a machine. But this exploit was more clever.7

  Windows .LNK files are responsible for rendering the icons for the contents of a USB flash drive or other portable media device when it’s plugged into a PC. Insert a USB flash drive into a PC, and Windows Explorer or a similar tool automatically scans it for .LNK files to display the icon for a music file, Wor
d document, or program stored on the flash drive.8 But in this case, the attackers embedded an exploit in a specially crafted .LNK file so that as soon as Windows Explorer scanned the file, it triggered the exploit to spring into action to surreptitiously deposit the USB’s malicious cargo onto the machine, like a military transport plane dropping camouflaged paratroopers onto enemy territory.

  The .LNK exploit attacked such a fundamental feature of the Windows system that Ulasen wondered why no one had thought of it before. It was much worse than Autorun exploits, because those could be easily thwarted by disabling the Autorun feature on machines—a step many network administrators take as a matter of course because of Autorun’s known security risk. But there is no way to easily disable the .LNK function without causing other problems for users.

  Ulasen searched a registry of exploits for any others that had used .LNK files in the past, but came up with nothing. That was when he suspected he was looking at a zero-day.

  He took a USB flash drive infected with the malicious files and plugged it into a test machine running Windows 7, the newest version of the Microsoft operating system. The machine was fully patched with all the latest security updates. If the .LNK exploit was already known to Microsoft, patches on the system would prevent it from dropping the malicious files onto the machine. But if the .LNK exploit was a zero-day, nothing would stop it. He waited a few minutes to examine the computer and, sure enough, the malicious files were there.

  He couldn’t believe it. VirusBlokAda, a tiny security firm that few in the world had ever heard of, had just discovered that rarest of trophies for a virus hunter. But this wasn’t just any zero-day exploit; it was one that worked against every version of the Windows operating system released since Windows 2000: the attackers had bundled four versions of their exploit together—in four different .LNK files—to make sure their attack worked against every version of Windows it was likely to encounter.9